Updated: 15 Apr 2026
The GxP audit team arrives at the Hyderabad plant. Batch records are pristine. Deviation logs are complete. Standard operating procedures are current, signed, and filed. The manufacturing execution system reflects every process step as designed.
Then someone asks who has access to the MES. Not the process running inside it. The credentials that open it.
The answer is complicated.
GxP compliance covers processes. GMP governs manufacturing. GLP governs laboratory studies. 21 CFR Part 11 governs electronic records. None of them governs whether the people accessing those systems are who they say they are.
FDA 21 CFR Part 11 requires that electronic records in GxP environments be accessible only to authorised individuals. Shared login credentials and unaudited access rights fail that requirement by definition. The regulation requires system access to be controlled, individual identity to be established before access is granted, and the audit trail to log individual identity for every record interaction.
Multi-factor authentication is not named in 21 CFR Part 11. Individual accountability is. In 2026, individual accountability without MFA is not a defensible position in a US FDA inspection or a CDSCO review.
CERT-In's mandatory audit framework adds a parallel obligation: annual cybersecurity audits requiring MFA for all remote access and 180-day log retention. Indian pharmaceutical companies now face simultaneous 21 CFR Part 11 individual access requirements and CERT-In mandatory audit obligations, both requiring MFA across manufacturing execution systems, laboratory information management systems, and clinical data environments.
CDSCO's increasing alignment with FDA validation standards means Indian pharmaceutical manufacturers face examination pressure from both domestic and international regulators at the same time.
GxP compliance covers the process. CERT-In covers the login. The gap between them is where the exposure sits.
In Proactive's Cisco Duo deployments across Indian pharmaceutical and life sciences environments in Hyderabad, Baddi, and Pune, credential audits consistently find shared accounts on laboratory information management systems and manufacturing execution systems: the exact access points 21 CFR Part 11 addresses. Quality control analysts share a single LIMS login. The MES has an administrator account used by three people. The CRO with remote access to clinical trial data holds credentials not rotated since the study began.
None of these appear in the GxP deviation log.
Cisco Duo, Cisco's identity security platform, enforces named individual MFA across every system in the GxP environment: MES, LIMS, ERP, laboratory instruments with network connectivity, and remote access for CROs and technology vendors. Without requiring any of those systems to be replaced or revalidated from scratch.
The authentication logs, individually attributed, timestamped, and exportable, satisfy both 21 CFR Part 11 audit trail requirements and CERT-In 180-day retention obligations from a single platform.
Proactive is a Cisco Preferred Security Partner deploying Cisco Duo across Indian pharmaceutical manufacturing and life sciences environments in Hyderabad, Baddi, and Pune. The credential audit precedes every deployment. It finds what the GxP audit does not look for.
Your process is validated.
Your login should be too.
Talk to a Proactive Cisco Duo specialist. Write to [email protected].
We'll get back to you shortly.
